Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Encryption required for Website storing personal details - GDPR

Options
  • 19-11-2019 2:09pm
    #1
    19233974
    Registered Users Posts: 120 ✭✭


    Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?


Comments

  • Options
    #2
    Baz_
    Registered Users Posts: 2,660 ✭✭✭Baz_


    Not to be too smart of an arse, but have you tried a search engine?


  • Options
    #3
    daymobrew
    Registered Users Posts: 6,491 ✭✭✭daymobrew


    AFAIK GDPR has nothing to do with encryption but to ensure you have permission to store data. Obviously you should do your best to ensure that access to the data is limited to authorised persons e.g. good passwords and secure code.


  • Options
    #4
    listermint
    Registered Users Posts: 33,640 ✭✭✭✭listermint


    Data should be obfuscated in he dB. It should only be stored if it has a current applicable need between the business and the customer. Once that need has expired the data should be wiped in full.

    Access to the data should be limited and should be logged when it has been accessed or modified.

    There should be regular automated processes to remove any expired data. So your retention policies need to be robust.


  • Options
    #5
    BailMeOut
    Registered Users Posts: 2,962 ✭✭✭BailMeOut


    GDPR has rules relating to data breach or if data is stolen so you need to protect the user data properly. Encrypting the at rest mysql data is a good start but all the other normal best practises on security should be adhered to. Is the server behind a firewall, are proper rules in place, are you fully security patched all the time, do you use MFA and good passwords,SSL, etc,. ..

    Is this website publiclly accessible?


  • Options
    #6
    CSSE09
    Registered Users Posts: 519 ✭✭✭CSSE09


    If you haven't already done it make sure the site is using ssl


  • Advertisement
  • Options
    #7
    28064212
    Registered Users Posts: 10,472 ✭✭✭✭28064212


    GDPR isn't prescriptive (it can't be). It states:
    Article 5.1.f wrote:
    Personal data shall be:
    ...
    processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
    "Appropriate security" is going to be highly dependent on your specific situation.

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Options
    #8
    biko
    Registered Users Posts: 81,223 ✭✭✭✭biko


    https://gdpr-info.eu/issues/encryption/


  • Options
    #9
    Jim2007
    Moderators, Business & Finance Moderators Posts: 10,001 Mod ✭✭✭✭Jim2007


    19233974 wrote: »
    Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?

    Well if you are hosting the website on a hosting service not under your control it really won't matter what encryption you use, it will be in breach of the rules in any case.


  • Options
    #10
    DeconSheridan
    Registered Users Posts: 141 ✭✭DeconSheridan


    19233974 wrote: »
    Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?
    At the high end your Business will be ISO/IEC 27001 compliant.
    At the low end your going to implement your own version of Information security by the choices you make.

    Encrypting the DB storage should really be the least of your worries and id be more focused on the front end attack vectors such as logins and admin logins, privileges users both customers and workers have and db service accounts asking the database server for data.

    A common mistake many make is having the Web Application DB credentials to your Database a Super user :eek: on the DB when really they might only require to RW and update credentials but maybe more. This can lead to potential disasters in the event of a breach and loss of data even whole databases.

    You do really need to lock down the Web Server and Database from the perspective of Sessions and Logins and who has access and what accounts are doing what including DB Service accounts.

    As Always backups (Regular) are king and can and do save the day! Id recommend VEEM, i'm not affiliated...


Advertisement